How to Move Towards GDPR Compliance
Even when you know where your website stands concerning GDPR compliance, you can have no idea how to take it that extra step or two in the right direction. There’s no single method that can ensure that your website is absolutely compliant, but if you combine a couple of them, your chances of creating a website that will conform to all the rules set forth by the lawmakers from Brussels go up.
Here are some of the things you should do to make your website more GDPR compliant.
1. Consult a Professional
Once again, we have to restate that reading a blog post about GDPR is not the same as getting valid legal advice from an expert. Whether you hire a legal theme to perform an audit or put your legal counsel in the team that’s putting the compliance measures in place, make sure that there’s someone who understands both the law and the tech involved. At the very least, have them perform an audit after you’ve done every other thing on this list.
2. Make Sure You Understand What Personal Data You Gather and Why
One of the more important things GDPR did was update the definition of personal data to include any type of data you can relate to an identifiable person, including IP addresses, RFID tags, and cookie identifiers.
You should take the plugins you’re using, APIs, extensions, and pour over their documentation in search of the explanation of the data they gather. Everything from Google Analytics to your store’s payment processing service needs to be examined, and you need to be aware of which piece of data goes where. You are accountable for it all as a controller.
3. Let the Visitors Know What You’re Gathering and Why and Give Them the Ability to Consent
Your Privacy Policy, Terms of Use, and other documents should contain a reference to the use of personal data where appropriate. You have to disclose the data you’re gathering and the reason why you’re doing it.
You can rely on the Privacy Policy WordPress now generates by default if you’re new to creating these kinds of documents, at least for inspiration. The Policy should reflect the data you collect and the reasons you have for collecting it.
Also, keep in mind that consent needs to be explicit under GDPR, and it needs to be provided in an active manner. So you have to give users something to do that signifies their explicit consent to have their data processed. Usually, a checkbox will do.
4. Review All the Points Where You Gather Data
Some plugins have to collect personal data to work properly. Other plugins have data collection as their sole purpose. You’ll need to revisit specimens of both kinds that have their place in your website and check if they’re compliant. Remember, consent is usually the easiest ground to legalize data processing, but it’s not the only one.
Here are some of the more popular services and plugins and how you can go about making them GDPR compliant:
If you haven’t already, install one of the many plugins that inform the users about cookies and asks for their consent. GDPR Cookie Consent is a popular option.
6. Provide Data Portability Options
Your website visitors should be able to retrieve from you every single piece of their data that you’ve gathered. They should also be able to ask you to delete their data. Since WordPress 4.9.6, you’re able to comply with these requests. You just need to be able to receive them.
The solution to this issue can be as simple as putting your email address in the Privacy Policy and letting website visitors know they can use it to request a copy of their data. You can also use contact form plugins with custom request form templates to make it all look a bit fancier.
When you receive a request, head over to your dashboard and, Under Tools, navigate to either Erase Personal Data or Export Personal Data. Here you’ll find a list of website users who have requested to review their data or to have it removed. You will have to send them a request email and once it’s confirmed, WordPress will automatically create a downloadable ZIP file, for users requesting data export. For erasure, the final step is deleting their data from your database.
7. Revisit Your Security Provisions
Hacking and other cybercrime acts often target user data and data security is one of the key GDPR principles. Frequent revisions of your website security measures is a good practice at any rate, and especially so when making sure your website is GDPR-compliant.
In addition to using one of the many excellent WordPress security plugins, you may also want to consider using HTTPS protocol. Together with SSL, this protocol protects the data transfer between you and your users. These days, both these solutions are basically a given – a lot of browsers have settings that notify users when they’re accessing a non-HTTPS website, and SSL certificates are included in all the best hosting packages. Still, if you’re not using them yet, now’s the time to start. And make sure to check out our ultimate WordPress security checklist to make sure you’re covering all the angles.
8. Report a Breach if It Happens
Under the GDPR, you have an obligation to inform authorities about data breaches within 72 hours of their occurrence. If the breach presents a high risk to an individual, you should let them know, too.
9. Consider Server-Side Tracking
Server-side tagging and tracking is one of the solutions that’s recently been touted as a great workaround for cookie deprecation and reduced client-side tracking abilities. In this form of tracking, data is collected and processed on the server, which means more secure and reliable data management. Server-side tagging or tracking will not make you automatically GDPR-compliant, as you’ll still have to implement things like consent management, data privacy provisions, data erasure when requested, and so on. In addition, you will still require user consent. But, you will get to control which data third parties get, remove sensitive data and personally identifiable information, as well as modify it before sending it to any vendor.